* [PATCH] HID: core: detect and skip invalid inputs to snto32()
@ 2020-12-17 1:12 Randy Dunlap
2021-01-08 13:52 ` Jiri Kosina
0 siblings, 1 reply; 2+ messages in thread
From: Randy Dunlap @ 2020-12-17 1:12 UTC (permalink / raw)
To: linux-kernel
Cc: Randy Dunlap, syzbot+1e911ad71dd4ea72e04a, Jiri Kosina,
Benjamin Tissoires, linux-input
Prevent invalid (0, 0) inputs to hid-core's snto32() function.
Maybe it is just the dummy device here that is causing this, but
there are hundreds of calls to snto32(0, 0). Having n (bits count)
of 0 is causing the current UBSAN trap with a shift value of
0xffffffff (-1, or n - 1 in this function).
Either of the value to shift being 0 or the bits count being 0 can be
handled by just returning 0 to the caller, avoiding the following
complex shift + OR operations:
return value & (1 << (n - 1)) ? value | (~0U << n) : value;
Fixes: dde5845a529f ("[PATCH] Generic HID layer - code split")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reported-by: syzbot+1e911ad71dd4ea72e04a@syzkaller.appspotmail.com
Cc: Jiri Kosina <jikos@kernel.org>
Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Cc: linux-input@vger.kernel.org
---
drivers/hid/hid-core.c | 3 +++
1 file changed, 3 insertions(+)
--- lnx-510.orig/drivers/hid/hid-core.c
+++ lnx-510/drivers/hid/hid-core.c
@@ -1307,6 +1307,9 @@ EXPORT_SYMBOL_GPL(hid_open_report);
static s32 snto32(__u32 value, unsigned n)
{
+ if (!value || !n)
+ return 0;
+
switch (n) {
case 8: return ((__s8)value);
case 16: return ((__s16)value);
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [PATCH] HID: core: detect and skip invalid inputs to snto32()
2020-12-17 1:12 [PATCH] HID: core: detect and skip invalid inputs to snto32() Randy Dunlap
@ 2021-01-08 13:52 ` Jiri Kosina
0 siblings, 0 replies; 2+ messages in thread
From: Jiri Kosina @ 2021-01-08 13:52 UTC (permalink / raw)
To: Randy Dunlap
Cc: linux-kernel, syzbot+1e911ad71dd4ea72e04a, Benjamin Tissoires,
linux-input
On Wed, 16 Dec 2020, Randy Dunlap wrote:
> Prevent invalid (0, 0) inputs to hid-core's snto32() function.
>
> Maybe it is just the dummy device here that is causing this, but
> there are hundreds of calls to snto32(0, 0). Having n (bits count)
> of 0 is causing the current UBSAN trap with a shift value of
> 0xffffffff (-1, or n - 1 in this function).
>
> Either of the value to shift being 0 or the bits count being 0 can be
> handled by just returning 0 to the caller, avoiding the following
> complex shift + OR operations:
>
> return value & (1 << (n - 1)) ? value | (~0U << n) : value;
>
> Fixes: dde5845a529f ("[PATCH] Generic HID layer - code split")
> Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
> Reported-by: syzbot+1e911ad71dd4ea72e04a@syzkaller.appspotmail.com
> Cc: Jiri Kosina <jikos@kernel.org>
> Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
> Cc: linux-input@vger.kernel.org
> ---
> drivers/hid/hid-core.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> --- lnx-510.orig/drivers/hid/hid-core.c
> +++ lnx-510/drivers/hid/hid-core.c
> @@ -1307,6 +1307,9 @@ EXPORT_SYMBOL_GPL(hid_open_report);
>
> static s32 snto32(__u32 value, unsigned n)
> {
> + if (!value || !n)
> + return 0;
> +
Given the fact that this has been in the code basically since ever, we're
probably fine, but it's good to have this fixed nevertheless. Applied
conservatively to hid.git#for-5.12/core.
Thanks,
--
Jiri Kosina
SUSE Labs
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-01-08 13:52 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-12-17 1:12 [PATCH] HID: core: detect and skip invalid inputs to snto32() Randy Dunlap
2021-01-08 13:52 ` Jiri Kosina
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.